How developers sharpen their skills

What makes modern secure coding training So sharpen developers their skills

Anyone who wants to code securely needs best practices and up-to-date knowledge. Although developers like to use the latter, they often regard training programs as a disruptive interruption to the actual work. Efrat Yahav, Customer Success Manager at Checkmarx, explains how interactive training and gamification can help.

Company on topic

Gamification is very suitable for exciting cybersecurity simulations.

(Picture: © artinspiring – stock.adobe.com)

Security-relevant vulnerabilities in software are not a blemish, but can cause massive damage to companies. So developers need to do everything in their power – and put all their skills and knowledge to the test – to develop safe products. This also means that you must have the right to stop insecure releases and point out security-related vulnerabilities of existing applications as soon as you encounter them. If you feel that you lack the necessary skills and qualifications to achieve this, the company must provide you with the opportunity to acquire this knowledge – usually in training and education.

The range of training courses and platforms in the field of secure coding is huge, ranging from classic frontal lessons to lengthy online presentations and interactive secure coding tournaments embedded in the daily lives of developers. At first glance, finding your way around this wide range is anything but easy. The following five aspects must be taken into account when selecting and implementing a modern application security and awareness program…

1. Avoid frontal lessons and boring online trainings

Anyone who has already had to take part in a mandatory online security training in the course of compliance checks knows how time-consuming and monotonous these courses can sometimes be. Often the participants only have to work through one presentation after the other. The next step is to answer a series of multiple-choice questions-all of which are designed to mislead the participants rather than actually test the level of knowledge.

2. Rely on compact and interactive sessions

Such trainings, which are all about checking off checklists, are not only useless, but also dangerous. But do we know how to do it better? Yes: With compact, easily digestible and interactive sessions instead of tedious and boring sessions. Thus, the participants repeatedly achieve small successes, which add up to a large and sustainable progress. For example, instead of working through an endless list of slides on XSS, you should present your team with small challenges within the development environment that show practical examples of how to protect yourself from XSS vulnerabilities. This makes learning and sticking to it fun, and the lessons stay stuck permanently.

3. Use the possibilities of gamification

Gamification refers to the application of game design elements and gaming principles outside the context of a game. The benefits of gamified training are well known: it is proven that we learn better and stay receptive for longer if we have fun while learning, follow a clever story and take an active role. Since developers spend most of their day in front of a screen and looking at lines of code, they value such casual and playful trainings far more than boring lessons. And gamification is also very suitable for exciting cybersecurity simulations, such as scenarios in which attackers exploit vulnerabilities and defenders have to close the gaps.

4. Convey knowledge always context-based

But classical frontal teaching is not only inefficient because it lacks playful elements. There is also a lack of context: as soon as you tear your devs out of the development environment, they break through the daily processes and make it difficult for you to recall concrete problems. The input should therefore always be provided where it is needed: when coding. Ideally, the training platform should automatically alert the developer to safety-related errors during programming, explain them in a short, playful training session, and then provide practical tips for fixing them.

5. Keep an eye on your AppSec awareness metrics!

When you invest in AppSec and awareness training, you also need to be aware at all times whether this investment is paying off – and whether the risk potential in the area of software security is actually decreasing. In order to ensure continuous improvement, it is important to accurately document the progress of your development teams and to constantly re-evaluate AppSec awareness. This allows you to know at any time whether and in which areas the developers still need further training, track progress and document it to management and avoid repeat errors.

Additional information

Three simple steps to help you develop safer

1. Work with audited frameworks

Using common IT frameworks such as Ruby-On-Rails will help you develop secure software. Because many companies work with these frameworks, many hackers also try to lever out their defense systems. And this in turn leads to the fact that once identified vulnerabilities are usually corrected immediately. So, using such a framework makes it easy for you to adhere to basic secure coding practices because they are already firmly anchored in the framework. Of course, no framework is perfect, and none is 100 percent reliable in preventing you from writing unsafe code. But the few instances where this is possible are known and well documented.

2. Access Proven Crypto Libraries

As a developer, you surely know the warning: “Don’t roll your own crypto library.”That’s perhaps the best advice you can give a developer. Because the hard truth is that even in the simplest scenarios, it’s really hard to get crypto processing clean. If you work with your own Crypto libraries, your software will always have gaps. Fortunately, a number of robust and secure Crypto libraries such as libsodium or Bouncy Castle are available today. If you stick to these, you don’t risk your application becoming tappable due to a faulty crypto implementation.

3. Conduct security reviews regularly

Have the security of your applications regularly evaluated by independent third parties. Such reviews are essential because they help expose unusual vulnerabilities and points of attack. And as more and more new vulnerabilities are discovered day by day, attackers also have more and more ways to exploit them. External reviews are an important first step in minimizing the risk of an attack.

Conclusion

Security is increasingly becoming an integral and automated part of software development, and the application security experts of many companies today work closely with the development departments to make their own applications more secure. At the same time, there may be discussions about who is responsible for application security in which sub-area. At its core, however, developers, app-sec experts, and DevOps leaders all know that security is ultimately a collaborative project that will only succeed if everyone involved pulls together. This includes ensuring compliance with secure coding practices throughout the SDLC – and up-to-date playful and context-based training approaches are a good way to set the course.

About the Author: Efrat Yahav is Customer Success Manager at Checkmarx.

(ID:47473718)